Commit Graph

27 Commits

Author SHA1 Message Date
Michael Pratt
7012f2e18f tools/libressl: disable assembly code for all hosts
This SSL library is for hosts only
and not shipped as a build product,
therefore its performance quality (speed) is not critical.

Assembly code is broken in LibreSSL for some x86_64 hosts (part of git history)
and for some RISC host archs like armv7l, aarch64, powerpc, ppc64, etc...
so let's just disable it for all hosts.

For example, this fixes an instance on ARM hosts
where the host Python 3 builds broken modules which link to LibreSSL,
even with patches that enable LibreSSL support
with the import error "unexpected reloc type 3".

Ref: a395563f6 ("build: fix libressl build on x32 (amd64ilp32) host ")
Suggested-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-07-31 18:46:23 +02:00
Michael Pratt
b2e2deeb8d tools/libressl: ensure PIC-only object compilation
Line up configure arguments for cleaner git diff and editing and grepping.

LibreSSL must be built with PIC, and has the flags for it already in CFLAGS.
Add the configure option native to LibreSSL to use only PIC in objects,
which further enforces that each object in the library has the PIC flag
to prevent a mixture of PIC / non-PIC objects within it.

Ref: 96a940308 ("tools: libressl: always build as PIC")
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-07-31 18:46:23 +02:00
Andre Heider
5451b03b7c tools/libressl: bump to v3.5.3
This includes API additions required for u-boot v2022.07 and Python 3.10.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.1-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.2-relnotes.txt
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.3-relnotes.txt

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-07-20 13:02:57 +02:00
Josef Schlehofer
25534d5cc2 tools/libressl: update to version 3.4.3
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.3-relnotes.txt

```
It includes the following security fix:

    * A malicious certificate can cause an infinite loop.
      Reported by and fix from Tavis Ormandy and David Benjamin, Google.
```

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-06-19 12:31:02 +02:00
Josef Schlehofer
495c4f4e19 tools/libressl: update to version 3.4.2
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt

```
It includes the following security fix

  * In some situations the X.509 verifier would discard an error on an
    unverified certificate chain, resulting in an authentication bypass.
    Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
```

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-01 00:08:08 +01:00
Rosen Penev
03bb3412a2 tools/libressl: update to 3.4.1
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-02 10:00:32 -10:00
Rosen Penev
f78ad901e1 tools/libressl: update to 3.3.4
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-09-05 21:28:55 +02:00
Rosen Penev
bf4dbbb55e tools/libressl: update to 3.3.3
Fix wrong FPIC variable usage. Fixes compilation under sparc64 host.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-20 15:20:54 -10:00
Rosen Penev
31554e50d2 ccache: update to 4.1
Upstream switched to building with CMake. Adjust accordingly.

Reapplied patch as upstream changed the file format.

Added HOST_BUILD_PARALLEL for faster compilation.

Added cmake tool dependency and removed circular dependencies as a
result.

Adjusted dependent tools to use NOCACHE as they are needed to build
ccache.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-31 10:03:21 +01:00
Rosen Penev
5950397e14 tools/libressl: update to 3.3.1
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-18 20:44:43 +01:00
Yuan Tao
649e098ec0 tools/libressl: update to 3.2.1
libressl update to 3.2.1
Delete 001-dont-build-tests-man.patch
Add configure args :
--enable-static
--disable-tests

The patch (001-dont-build-tests-man.patch) no longer works with the current version.
Follow the patch notes:
Adding the --enable-static and --disable-tests parameters should replace the patch.

Signed-off-by: Yuan Tao <ty@wevs.org>
2020-09-18 20:08:51 +02:00
Daniel Engberg
0ffb7b02ba tools/libressl: Update to 3.0.2
Update libressl to 3.0.2 and remove 010-avoid-glibc.patch as fix is added by upstream

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2020-02-18 21:38:51 +01:00
Hans Dedecker
1282a63027 tools: libressl: fix compilation for non-glibc clib (FS#2400)
Fixes compilaton issue for non glibc clibs :

libtool: compile:  gcc -DPACKAGE_NAME=\"libressl\" -DPACKAGE_TARNAME=\"libressl\" -DPACKAGE_VERSION=\"2.9.2\" "-DPACKAGE_STRING=\"libressl 2.9.2\"" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DPACKAGE=\"libressl\" -DVERSION=\"2.9.2\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_SYMLINK=1 -DHAVE_ERR_H=1 -DHAVE_ASPRINTF=1 -DHAVE_MEMMEM=1 -DHAVE_STRLCAT=1 -DHAVE_STRLCPY=1 -DHAVE_STRNDUP=1 -DHAVE_STRNLEN=1 -DHAVE_STRSEP=1 -DHAVE_TIMEGM=1 -DHAVE_SYSLOG=1 -DHAVE_ACCEPT4=1 -DHAVE_PIPE2=1 -DHAVE_POLL=1 -DHAVE_SOCKETPAIR=1 -DHAVE_EXPLICIT_BZERO=1 -DHAVE_GETAUXVAL=1 -DHAVE_GETAUXVAL=1 -DHAVE_DL_ITERATE_PHDR=1 -DHAVE_CLOCK_GETTIME=1 -DHAVE_VA_COPY=1 -DHAS_GNU_WARNING_LONG=1 -DSIZEOF_TIME_T=8 -I. -I../include -I../include/compat -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= -I../crypto/asn1 -I../crypto/bn -I../crypto/ec -I../crypto/ecdsa -I../crypto/evp -I../crypto/modes -I../crypto -I/builds/pantacor/pv-platforms/openwrt-base/openwrt/staging_dir/host/include -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE -D__STRICT_ALIGNMENT -O2 -I/builds/pantacor/pv-platforms/openwrt-base/openwrt/staging_dir/host/include -fpic -Wall -std=gnu99 -fno-strict-aliasing -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-strong -DHAVE_GNU_STACK -Wno-pointer-sign -MT compat/getprogname_linux.lo -MD -MP -MF compat/.deps/getprogname_linux.Tpo -c compat/getprogname_linux.c -o compat/getprogname_linux.o
compat/getprogname_linux.c: In function 'getprogname':
compat/getprogname_linux.c:32:2: error: #error "Cannot emulate getprogname"
 #error "Cannot emulate getprogname"
  ^~~~~

Reported-by: Anibal Portero <anibal.portero@pantacor.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-07-23 14:54:07 +02:00
Kevin Darbyshire-Bryant
8d6d227bb6 tools: libressl: fix build on MacOS
Making all in tests
depbase=`echo handshake_table.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
	gcc -DPACKAGE_NAME=\"libressl\" -DPACKAGE_TARNAME=\"libressl\" -DPACKAGE_VERSION=\"2.9.2\" -DPACKAGE_STRING=\"libressl\ 2.9.2\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DPACKAGE=\"libressl\" -DVERSION=\"2.9.2\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_SYMLINK=1 -DHAVE_ERR_H=1 -DHAVE_READPASSPHRASE_H=1 -DHAVE_ASPRINTF=1 -DHAVE_MEMMEM=1 -DHAVE_READPASSPHRASE=1 -DHAVE_STRLCAT=1 -DHAVE_STRLCPY=1 -DHAVE_STRNDUP=1 -DHAVE_STRNLEN=1 -DHAVE_STRSEP=1 -DHAVE_TIMEGM=1 -DHAVE_GETPROGNAME=1 -DHAVE_SYSLOG=1 -DHAVE_POLL=1 -DHAVE_SOCKETPAIR=1 -DHAVE_ARC4RANDOM=1 -DHAVE_ARC4RANDOM_BUF=1 -DHAVE_ARC4RANDOM_UNIFORM=1 -DHAVE_TIMINGSAFE_BCMP=1 -DHAVE_CLOCK_GETTIME=1 -DHAVE_VA_COPY=1 -DHAVE___VA_COPY=1 -DSIZEOF_TIME_T=8 -I.  -I../include -I../include/compat -DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= -I ../crypto/modes -I ../crypto/asn1 -I ../ssl -I ../tls -I ../apps/openssl -I ../apps/openssl/compat -D_PATH_SSL_CA_FILE=\"../apps/openssl/cert.pem\" -I/Users/kevin/wrt/staging_dir/host/include  -D__STRICT_ALIGNMENT  -O2 -I/Users/kevin/wrt/staging_dir/host/include  -fpic -Wall -std=gnu99 -fno-strict-aliasing  -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-strong  -Qunused-arguments -Wno-pointer-sign -MT handshake_table.o -MD -MP -MF $depbase.Tpo -c -o handshake_table.o handshake_table.c &&\
	mv -f $depbase.Tpo $depbase.Po
make[4]: *** No rule to make target `/Users/kevin/wrt/build_dir/host/libressl-2.9.2/crypto/.libs/libcrypto_la-cpuid-macosx-x86_64.o', needed by `handshake_table'.  Stop.
make[3]: *** [all-recursive] Error 1

A similar error & clues from
e783d60473

"
LibreSSL 2.9.1 now has a test that requires libtls.a, however, when building a
shared library only build, the --disable-static flag is passed to libressl,
which prevents the building of libtls.a.

With libtls.a not being built, the following error occurs:
libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.  Stop.

There are three options to fix this:
1) Stick with autotools, and provide a patch that removes building anything in
   the tests folder.
2) Pass --enable-static to LIBRESSL_CONF_OPTS
3) Change the package type to cmake, as a cmake build does not have this issue."

It appears we cannot change to cmake because cmake has a dependency on
an ssl library.

Take option 1 and do not build the tests.

Also take the opportunity to remove man page building as well.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-22 17:06:04 +01:00
Roman Yeryomin
3f1e8c0131 tools: libressl: update to 2.9.2 version
To keep in sync with OpenSSL 1.1.x branch version options.

Signed-off-by: Roman Yeryomin <roman@advem.lv>
2019-07-21 10:51:43 +02:00
Thorsten Glaser
a395563f68 build: fix libressl build on x32 (amd64ilp32) host
disable use of assembly code since x32 gets misdetected as amd64

Signed-off-by: Thorsten Glaser <tg@mirbsd.org>
2018-11-01 17:16:52 +01:00
Rosen Penev
74a5c619dc tools/libressl: Add PKG_CPE_ID for proper CVE tracking
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-16 19:16:28 +01:00
Daniel Engberg
6bdc6cdd04 tools/libressl: Update to 2.8.1
Update libressl to 2.8.1

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-10-07 02:10:15 +02:00
Hauke Mehrtens
2c192b6916 tools/libressl: update to version 2.7.2
Libressl version 2.7.0 and later implement more of the OpenSSL 1.1 API
and this needs some modifications of the code using it.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-04-28 15:29:28 +02:00
Hannu Nyman
b4a46f0764 tools/libressl: update to 2.6.4
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2018-01-17 08:52:54 +01:00
Hannu Nyman
d7a3120cdc tools/libressl: update to 2.5.4
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2017-05-25 19:01:07 +02:00
Daniel Engberg
e45ee66149 tools/libressl: Update to 2.5.1
Update libressl to 2.5.1

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-20 08:24:13 +01:00
Matthias Schiffer
96a940308b
tools: libressl: always build as PIC
Fixes link errors for host packages like ruby like the following:

/usr/bin/ld: .../staging_dir/host/lib/libcrypto.a(libcrypto_la-md5_dgst.o):
relocation R_X86_64_PC32 against symbol `memcpy@@GLIBC_2.14' can not be used when making a shared object; recompile with -fPIC

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-10 22:15:37 +01:00
Felix Fietkau
2fd5ce9488 libressl: disable shared libraries, fixes build issues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-28 01:22:26 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
Daniel Engberg
ee7ef227f0 tools/libressl: Update to 2.5.0 and use mirrors
Updates LibreSSL to 2.5.0 and switches from main site to mirrors as primary source.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:51 +02:00
Waldemar Brodkorb
f7fb6e49f2 build: allow to build LEDE on latest MacOS X
Latest Xcode doesn't include openssl anymore. To compile
mkimage from u-boot source you need SSL headers on your host.
This patch provides libressl host package for any Darwin
compilation. Unfortunately openssl from MacPorts can not be
used, as the installed headers in /opt/local are breaking
GDB compilation. Tested with a RB532 image build and resulting
kernel booted on a device via TFTP.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fixes, dependencies]
2016-06-07 08:58:41 +02:00